From 4cc2b8f955033c2131c789262ebdb41e89307b3e Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:13:37 +0900 Subject: [PATCH] fix: make group-by optional for correlation --- src/detections/rule/correlation_parser.rs | 29 ++++++++++------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/src/detections/rule/correlation_parser.rs b/src/detections/rule/correlation_parser.rs index 37d010678..843ff066d 100644 --- a/src/detections/rule/correlation_parser.rs +++ b/src/detections/rule/correlation_parser.rs @@ -122,27 +122,24 @@ fn get_related_rules_id(yaml: &Yaml) -> Result, Box> { Ok(rules) } -fn get_group_by_from_yaml(yaml: &Yaml) -> Result> { +fn get_group_by_from_yaml(yaml: &Yaml) -> Result, Box> { let correlation = yaml["correlation"] .as_hash() .ok_or("Failed to get 'correlation'")?; - let group_by_yaml = correlation - .get(&Yaml::String("group-by".to_string())) - .ok_or("Failed to get 'group-by'")?; + let group_by_yaml = match correlation.get(&Yaml::String("group-by".to_string())) { + Some(value) => value, + None => return Ok(None), + }; let mut group_by = Vec::new(); - for group_by_yaml in group_by_yaml - .as_vec() - .ok_or("Failed to convert 'group-by' to Vec")? - { - let group = group_by_yaml - .as_str() - .ok_or("Failed to convert group to string")? - .to_string(); - group_by.push(group); + if let Some(group_by_vec) = group_by_yaml.as_vec() { + for group_by_yaml in group_by_vec { + if let Some(group) = group_by_yaml.as_str() { + group_by.push(group.to_string()); + } + } } - - Ok(group_by.join(",")) + Ok(Some(group_by.join(","))) } fn parse_tframe(value: String) -> Result> { let ttype; @@ -202,7 +199,7 @@ fn create_detection( let nodes = to_or_selection_node(related_rule_nodes); let agg_info = AggregationParseInfo { _field_name: condition.2, - _by_field_name: Some(group_by), + _by_field_name: group_by, _cmp_op: condition.0, _cmp_num: condition.1, };